CVE-2023-37602

MEDIUM

Alkacon OpenCMS 15.0 - Arbitrary File Upload and Remote Code Execution via PNG File

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-37602. PoCs published by tmrswrr.

AI-analyzed exploit summary This exploit demonstrates multiple stored and reflected XSS vulnerabilities in Alkacon OpenCMS 15.0. It includes payloads for injecting malicious scripts via file metadata and SVG uploads, triggering alerts to confirm execution.

Description

An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.

Exploits (1)

exploitdb WORKING POC

by tmrswrr · textwebappsjava

https://www.exploit-db.com/exploits/51564

View Code ZIP pw:eip

This exploit demonstrates multiple stored and reflected XSS vulnerabilities in Alkacon OpenCMS 15.0. It includes payloads for injecting malicious scripts via file metadata and SVG uploads, triggering alerts to confirm execution.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Alkacon OpenCMS v15.0

Auth required

Prerequisites: Access to the OpenCMS workplace interface · Valid credentials for authentication · Ability to upload or modify files

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry

https://www.exploit-db.com/exploits/51564

Scores

CVSS v3 6.1

EPSS 0.0035

EPSS Percentile 58.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

alkacon/opencms 15.0.0

org.opencms/opencms-core 0Maven

Published Jul 20, 2023

Tracked Since Feb 18, 2026